BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Fortinet warns CVE-2020-12812 2FA bypass via case glitch now

Renewed abuse of CVE-2020-12812 lets FortiOS SSL VPN users bypass 2FA due to a FortiGate/LDAP username case-sensitivity mismatch—patches and mitigations available.

  • Fortinet reported renewed abuse of CVE-2020-12812 allowing SSL VPN users to bypass two-factor authentication under specific configurations.
  • The bypass stems from a case-sensitivity mismatch between FortiGate username matching and LDAP directory behavior.
  • Fixes were released in 2020; short-term mitigations include disabling username case sensitivity with specific commands.

Fortinet on December 24, 2025 issued an advisory saying it observed “recent abuse” of a five-year-old FortiOS SSL VPN flaw, CVE-2020-12812. The flaw can let a user log in without the second authentication factor when the username case differs from the local account entry.

- Advertisement -

The issue is an improper authentication vulnerability in FortiOS SSL VPN that arises when local users are configured for two-factor authentication (2FA) but reference a remote authentication method such as LDAP. “This happens when two-factor authentication is enabled in the ‘user local’ setting, and that user authentication type is set to a remote authentication method (eg, LDAP),” the advisory noted. LDAP is a directory protocol used to store and retrieve user account information. Two-factor authentication (2FA) requires two forms of verification to grant access.

Successful exploitation requires three conditions: local user entries on the FortiGate with 2FA that reference LDAP; those users must belong to an LDAP group; and at least one LDAP group that includes the two-factor users must be configured on the FortiGate and used in an authentication policy. Because FortiGate treated usernames as case-sensitive while LDAP often does not, a username typed with different case can fail to match the local entry and instead authenticate directly against LDAP.

The flaw had seen active exploitation in the wild by multiple threat actors in prior years. Vendor fixes released in July 2020 included FortiOS 6.0.10, 6.2.4, and 6.4.1. For older versions, Fortinet advises running: set username-case-sensitivity disable. For customers on FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1 or later, run: set username-sensitivity disable. “With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH, and all possible combinations as identical…”

As an additional mitigation, remove any unnecessary secondary LDAP group. Impacted customers should contact support and reset credentials if they find evidence of admin or VPN users authenticating without 2FA. Related links: exploit image (https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWq72oFKp6biq3Hf_tsdl9xZeVhxI_BGzBaKfw1DiMD2ldey-KGb8qk27HJH9rt-pys9Ga94wnpRZfAYUdFW9g5_-ncNfIBaYtzsHD-GpGk0LtMaSZ0yD83PqptSkQlIuFNwa94qWlQvk3Yqz-eSpFchaeTh3VbYOXgRJ96sDTRz7dy-_ShXQu1jnzQXhx/s790-rw-e365/fortinet-exploit.jpg), additional resources (https://thehackernews.uk/filefix-d), (https://thehackernews.uk/zscaler-ai-event-d).

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

AI-Assisted TuxBot v3 IoT Botnet Found Riddled With Errors

Cybersecurity researchers at Palo Alto Networks Unit 42 discovered a new IoT botnet framework...

OpenAI’s GPT-Red automates AI security testing

OpenAI introduced GPT-Red, an automated AI system to find vulnerabilities in GPT models before...

Trump to Meet Senators on Crypto Ethics; Bill Near Final

President Donald Trump is scheduled to meet with senators Thursday to negotiate the unresolved...

Ostium hacked on Arbitrum, $18M lost in oracle key breach

Ostium, a decentralized perpetual futures exchange on Arbitrum, was hacked via a private key...

Blanche Faces Senate Grilling Over DOJ Crypto Unit Disband

Acting Attorney General Todd Blanche faced Senate Judiciary Committee backlash over dismantling the DOJ's...

Must Read

Top 7 BEST Crypto Trading Bots for Beginners

QUICK NAVIGATIONQuick Look: Top 3 Best Crypto Trading BotsWhat Exactly is a Crypto Trading Bot?How I Chose These Trading BotsTop 7 Crypto Trading Bots...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading